Hurry! Wait! Go! Joomla stumbles with patch for serious vulnerability

The Joomla project pushed out new updates for its popular content management system Wednesday after a glitch was found in the high-priority security patches it released a day before.

The Joomla project pushed out new updates for its popular content management system Wednesday after a glitch was found in the high-priority security patches it released a day before.

Joomla versions 3.3.5, 3.2.6 and 2.5.26 were released Tuesday to patch a moderate-risk remote file inclusion vulnerability and a denial-of-service issue. However, hours after the updates were made available, Joomla's developers issued an urgent request for users to delay upgrading.

"Unfortunately, due to a small technical issue we need to release another version very soon," the project said on Facebook, apologizing for the situation.

New Joomla versions 3.3.6, 3.2.7 and 2.5.27 were released Wednesday to address the newly identified issue and a few others.

"This release addresses an issue related to the core update component, one regression in the user password reset process, and adds a fallback upgrade mechanism for the update component," the Joomla Project said in the new release notes.

Users who already deployed Tuesday's patches will not be able to upgrade to new Joomla versions through the normal update component, and will have to use the Extension Manager instead.

Remote file inclusion vulnerabilities are dangerous because they can allow attackers to install backdoors on vulnerable sites and modify files hosted on site servers. However, in the case of this particular Joomla flaw the risk is reduced because the attacker needs to time an attack for exactly when a Joomla package is being extracted during an update operation.

According to Web software development firm Akeeba, whose products are also affected by the issue, the attack window is typically five to 90 seconds and requires the attacker to know when this operation will occur.

"Due to the special conditions required merely having the affected software installed DOES NOT make your site vulnerable," the firm said in a security advisory. "However, this security issue can be used for targeted attacks against valuable targets."